Opinion: Compiling evidence boils down to a matter of time

By

IT needs a consistent approach to creating timestamps for forensic computing.

Opinion: Compiling evidence boils down to a matter of time
Whenever evidence about what is found on a hard drive is put before courts, the lawyers usually fail to ask the right question. They want to know whether certain files are on there. They should be asking “How did it get there?” and “When did it get there?”

Accurate time determination is a crucial part of forensic computing evidence. If it got there before the accused owned the computer, then it is unlikely that he knew it was there. If the last accessed date is when the accused did not have access to the computer, then it is unlikely that he accessed the file concerned. But unless the timestamp is accurate, all the above are in doubt.

Most timestamps are produced from the computer’s internal clock, or from the clock of another computer that the file may have been transferred from. The potential for accidental or deliberate manipulation of the timestamp is huge, so the best form of evidence is from something outside of the target machine. Perhaps a transaction on a credit card issuer’s machine, or a PayPal invoice.

The documentation of timestamps created by software is woefully inadequate and the forensic investigator often has to experiment in order to ascertain what is being recorded. This is especially true where timestamps have been recovered from deleted records. In some cases timestamps are recorded differently in what are basically the same files.

Many pieces of evidence recovered during a forensic examination of a computer are partial fragments recovered from either a cache, or from the slack space between records. These often contain no time stamp information and so much will depend on the existence of circumstantial evidence. It is then up to the jury to determine if this is sufficiently beyond reasonable doubt to convict.

We need more information on timestamp formats, how the data is obtained and how it is recorded. This is research that could be conducted internationally and continuously into the future.

John Mitchell is a committee member of the BCS's Information Risk Management and Assurance Group.
Got a news tip for our journalists? Share it with us anonymously here.
Copyright © 2010 Computing
Tags:
downevidencehardwarematteroftimeto

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

Porn industry standardises on HD-DVD

Porn industry standardises on HD-DVD
La Trobe ACAMI supercomputer comes online

La Trobe ACAMI supercomputer comes online
TfNSW extends deal for mobile phone detection cameras

TfNSW extends deal for mobile phone detection cameras
Australian teen leaks pictures of new iPhone parts

Australian teen leaks pictures of new iPhone parts
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?